CVE-2022-36782

{"id": "CVE-2022-36782", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@cyber.gov.il", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2022-09-13T15:15:08.723", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@cyber.gov.il"}, {"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time."}, {"lang": "es", "value": "Pal Electronics Systems - Pal Gate. Errores de Autorizaci\u00f3n. La vulnerabilidad es un problema de autorizaci\u00f3n en la aplicaci\u00f3n cliente androide de administraci\u00f3n de dispositivos PalGate. Puertas de edificios y aparcamientos con un simple bot\u00f3n en cualquier smartphone. La API fue encontrada despu\u00e9s de una des compilaci\u00f3n e investigaci\u00f3n est\u00e1tica usando Jadx, y un an\u00e1lisis din\u00e1mico usando Frida. El atacante puede iterar sobre todos los dispositivos IOT para visualizar cada entrada y salida, en cada puerta y dispositivo en todo el mundo, tambi\u00e9n puede raspar el servidor y crear una base de datos de usuarios con nombres completos y n\u00famero de tel\u00e9fono de m\u00e1s de 2.8 millones de usuarios, y visualizar todo el movimiento de usuarios dentro y fuera de las puertas, incluso en tiempo real"}], "lastModified": "2024-11-21T07:13:43.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pal-es:palgate:-:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "26FE09C7-FD16-4FFB-913D-2E28D0EBD0B4"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cyber.gov.il"}